Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

VMware vShield - Overview

3,134 views

Published on

VMware vShield - Overview

Published in: Technology
  • Be the first to comment

  • Be the first to like this

VMware vShield - Overview

  1. 1. VMware vShield – Foundation for the Most Secure Cloud Deployments © 2009 VMware Inc. All rights reserved
  2. 2. Agenda  Cloud Computing & Security  Security – State of the Market  Virtualization – Key Security Enabler  vShield Products  Use Cases  Summary 2 Confidential
  3. 3. Security Market Overview Segments We Address 3 Confidential Market Size in 2012 Endpoint Security Antivirus Security Operations Market Growth Rate Market Size($M) in 2009 $27B Worldwide in 2009 Anti-Virus $4,096 (7%) Application Security $2,987 (15%) Identity Mgmt $3,565(20%) Network Security $9,136 (8%) Data Security $3,258 (19%) Endpoint Security $3,001 (2%) $713 (8%) Source: FORRESTER, 2009 Network Security Identity Management Others
  4. 4. Security and Compliance are the Primary Concerns with Cloud Virtualization forms the foundation for building private clouds. Security must change to support both. Public Cloud Internal IT  Rate Card  Hands-off  Self-service 4 Confidential – Gartner, 2010 ? Security ? Control ? Compliance
  5. 5. Agenda  Cloud Computing & Security  Security – State of the Market  Virtualization – Key Security Enabler  vShield Products  Use Cases 5 Confidential
  6. 6. 6 Confidential • Limited control and visibility • Organizational confusion (VI, security, network) • Hindered IT compliance • Slow provisioning • Heightened risk exposures • VLAN sprawl • Gap between policy and enforcement • Manual re-implementation of security policies • Heightened risk exposures Security Challenges Traditional Security Expensive • Specialized hardware appliances • Multiple point solutions Rigid • Policy directly tied to implementation • Not virtualization and change-aware Effect Complex • Spaghetti of different rules and policies • Security “rationing” • Heightened risk exposures
  7. 7. The vShield Advantage: Increased Security Traditional Security vShield Complex • Spaghetti of different rules and policies 7 Confidential Cost Effective • Single virtual appliance with breadth of functionality • Single framework for comprehensive protection Simple • No sprawl in rules, VLANs, agents • Relevant visibility for VI Admins, network and security teams • Simplified compliance Adaptive • Virtualization and change aware • Program once, execute everywhere • Rapid remediation Expensive • Specialized hardware appliances • Multiple point solutions Rigid • Policy directly tied to implementation • Not virtualization and change-aware Deployments on VMware are more secure than physical
  8. 8. VMware Transforms Security from Expensive to Cost Effective vShield eliminates the need for multiple special purpose  hardware appliances – 3-5x Savings Capex, Opex Load balancer  Firewall  VPN  Etc… vShield firewall VPN Load balancer Virtual Appliance 8 Confidential
  9. 9. VMware Transforms Security from Complex… VLAN’s agent Complex • Policies, rules implementation - no clear separation of duties; organizational confusion • Many steps – configure network, firewall and vSphere • Spaghetti of VLANs, Sprawl - Firewall rules, agents 9 Confidential Policies, Rules Network admin Security admin VI admin Overlapping Roles / Responsibilities Many steps. Configure •Network •Firewall •vSphere Define, Implement , Monitor, Refine, agent agent agent agent agent agent agent
  10. 10. … To Disruptively Simple Few steps: Configure vShield Define, Monitor, Refine, Implement Simple Network admin Security admin VI admin Clear separation of Roles / Responsibilities • Clear separation of duties • Few steps – configure vShield • Eliminate VLAN sprawl – vNIC firewalls • Eliminate firewall rules, agents sprawl 10 Confidential
  11. 11. VMware Turns Security from Rigid…  BEFORE vShield • Security groups tied to physical servers • “Air gaps”, i.e. physical isolation, between security groups • VMs in a security group cannot be vMotioned to other hosts DMZ PCI compliant “Air gap” 11 Confidential
  12. 12. ….to Adaptive  AFTER vShield • Security groups becomes a VM construct rather than physical server construct • Security groups enforced with VM movement • Mix VMs from different groups on the same host DDMZZ PPCCII C Coommpplliianntt 12 Confidential
  13. 13. Agenda  Cloud Computing & Security  Security – State of the Market  Virtualization – Key Security Enabler  vShield Products  Use cases  Summary 13 Confidential
  14. 14. Why VMware vShield is a Security Enabler ? 1. Unique introspection 2. Policy abstraction Cost Effective • Single virtual appliance with breadth of functionality • Single framework for comprehensive protection Simple • No sprawl in rules, VLANs, agents • Relevant visibility for VI Admins, network and security teams • Simplified compliance 14 Confidential Adaptive • Virtualization and change aware • Program once, execute everywhere • Rapid remediation
  15. 15. Security Enabler: Unique Introspection Introspect detailed VM state and VM-to-VM communications Processor vSphere + vShield   memory  Network 15 Confidential Benefits • Comprehensive host and VM protection • Reduced configuration errors • Quick problem identification • Reduced complexity – no security agents per VM required
  16. 16. Security Enabler: Policy Abstraction Separate the policy definition from the policy Before vShield Policy tied to the physical host; lost during vMotion After vShield Policy tied to logical attributes implementation 16 Confidential Benefits • Create and enforce security policies with live migration, automated VM load balancing and automated VM restart • Rapid provisioning of security policies • Easier compliance with continuous monitoring and comprehensive logging Policy tied to logical attributes; follow virtual machine
  17. 17. Agenda  Cloud Computing & Security  Security – State of the Market  Virtualization – Key Security Enabler  vShield Products  Use cases  Summary 17 Confidential
  18. 18. 2010 – Introducing vShield Products Securing the Private Cloud End to End: from the Edge to the Endpoint vShield Edge 1.0 Edge Secure the edge of the virtual datacenter vShield App 1.0 and Zones Security Zone Application protection from network based threats 18 Confidential vShield Endpoint 1.0 Endpoint = VM Enables offloaded anti-virus Virtual Datacenter 1 Virtual Datacenter 2 DMZ PCI compliant HIPAA compliant Web View VMware vShield VMware vShield VMware vShield Manager
  19. 19. vShield Edge Secure the Edge of the Virtual Data Center • Multiple edge security services in one appliance • Stateful inspection firewall • Network Address Translation (NAT) • Dynamic Host Configuration Protocol (DHCP) • Site to site VPN (IPsec) • Web Load Balancer • Network isolation(edge port group isolation) • Detailed network flow statistics for chargebacks, etc • Policy management through UI or REST APIs • Logging and auditing based on industry standard syslog format VMware vShield Edge VMware vShield Edge VMware vShield Edge 19 Confidential Features Benefits • Lower cost and complexity by eliminating multiple special purpose appliances • Ensure policy enforcement with network isolation • Simplify management with vCenter integration and programmable interfaces • Easier scalability with one edge per org/tenant • Rapid provisioning of edge security services • Simplify IT compliance with detailed logging Tenant A Tenant C Tenant X Firewall Load balancer VPN Secure Virtual Appliance Secure Virtual Appliance Secure Virtual Appliance
  20. 20. vShield Lowers Cost of Security Significantly Cost per Mbps 50$ 45$ 40$ 35$ 30$ 25$ 20$ 15$ 10$ 5$ 0$ Network edge security solution (Firewall + VPN + Load balancer) Security appliances .5Gbps 1Gbps 10Gbps 100Gbps Throughput 20 Confidential vShield Edge >5x Assumptions • 100 VM per edge • vSphere & server costs • High availability Mbps = Megabits/sec Gbps = Gigabits/sec
  21. 21. vShield App Application Protection for Network Based Threats 21 Confidential Features • Hypervisor-level firewall • Inbound, outbound connection control applied at vNIC level • Elastic security groups - “stretch” as virtual machines migrate to new hosts • Robust flow monitoring • Policy Management • Simple and business-relevant policies • Managed through UI or REST APIs • Logging and auditing based on industry standard syslog format
  22. 22. vShield App Provides Adaptive Security with Policy Abstraction DDMZZ PPCCII C Coommpplliianntt Security groups enforced with VM movement Policies based on logical attributes 22 Confidential
  23. 23. vShield App Application Protection for Network Based Threats 23 Confidential Features • Hypervisor-level firewall • Inbound, outbound connection control applied at vNIC level • Elastic security groups - “stretch” as virtual machines migrate to new hosts • Robust flow monitoring • Policy Management • Simple and business-relevant policies • Managed through UI or REST APIs • Logging and auditing based on industry standard syslog format Benefits • Increase visibility for inter-VM communications • Eliminate dedicated hardware and VLANs for different security groups • Optimize resource utilization while maintaining strict security • Simplified compliance with comprehensive logging of inter VM activity
  24. 24. vShield Endpoint Offload Anti-virus Processing for Endpoints • Eliminate anti-virus agents in each VM; anti-virus off-loaded • Enforce remediation using driver in VM • Policy and configuration Management: through UI or REST APIs • Logging and auditing 24 Confidential Features to a security VM delivered by AV partners Benefits • Improve performance by offloading anti-virus functions in tandem with AV partners • Improve VM performance by eliminating anti-virus storms • Reduce risk by eliminating agents susceptible to attacks and enforced remediation • Satisfy audit requirements with detailed logging of AV tasks
  25. 25. Agenda  Cloud Computing & Security  Security – State of the Market  Virtualization - Key Security Enabler  vShield Products  Use cases  Summary 25 Confidential
  26. 26. Service Provider - Offering Multi-Tenant Hosting Service Company A Company B Company C Company A Company B Company C • Host potentially hundreds or thousands of tenants in shared infrastructure with: • Traffic Isolation between the tenants • Complete protection and confidentiality of tenant apps and data • Integration with enterprise directory services (e.g. Active Directory) • Complying with various audit requirements 26 Confidential Requirements Solution – vShield Edge, VMware Cloud Director • Guarantee full confidentiality and protection of tenant apps and data with built-in firewall and VPN • Use enterprise directory services for security policies • Accelerate compliance by logging all traffic information on per-tenant basis • Lower cost of security by 100+% by eliminating purpose built appliances and by increasing utilization and VM density Cisco VPN Juniper VPN Checkpoint VPN Vmware vCloud Director vShield Edge
  27. 27. Enterprise - Securing Business Critical Applications DMZ Development Finance Development Finance • Deploy production and development applications in a shared infrastructure with: • Traffic segmentation between applications • Authorized access to applications • Strict monitoring and enforcement of rules on inter- VM communications • Ability to maintain security policies with VM movement • Compliance to various audit requirements 27 Confidential Requirements Solution - vShield App + Edge • Protect data and applications with hypervisor level firewall • Create and enforce security policies with virtual machine migration • Facilitate compliance by monitoring all application traffic • Improve performance and scalability with load balancer and software based solution VMware vShield App
  28. 28. Enterprise - Secure View Deployments Solution - vShield Endpoint+App+Edge • Improve performance by offloading AV processing • Reduce costs by freeing up virtual machine resources and eliminating agents • Improve security by streamlining AV functions to a hardened security virtual machine(SVM) • Protect View application servers from threats • Demonstrate compliance and satisfy audit requirements with detailed logging of offloaded AV tasks Public Network Private Network VMware vShield App 28 Confidential Requirements • Support thousands of internal and external View users with: • Comprehensive security for View servers • Anti virus agents to protect client data and applications • Optimal performance and scalability DMZ View Desktops Remote User Local User
  29. 29. Agenda  Cloud Computing & Security  Security – State of the Market  Virtualization – Key Security Enabler  vShield Products  Use cases  Summary 29 Confidential
  30. 30. vShield Edge 1.0 vs. vShield Zones 4.1 vs. vShield App 1.0 30 Confidential
  31. 31. vShield Products Product SKUs List/VM SnS vShield Edge 1.0 $150 Standard Basic, Production vShield Endpoint 1.0 $50 Standard Basic, Production NA vSphere SnS applies $110 Standard Basic, Production $110 Standard Basic, Production Notes •VMware Cloud Director – Includes vShield Edge subset(Firewall, DHCP, NAT) •vShield App – Includes vShield Endpoint •VMware View 4.5 Premier SKUs – Include vShield Endpoint 1.0 •All SKUs – Min 25-VM purchase 31 vShield Zones for vSphere 4.1 (Included in vSphere Advanced and above) vShield App 1.0 (includes Endpoint and Zones) $150 Standard Basic, Production Upgrade to full vShield Edge 1.0 from VMware Cloud Director Upgrade to vShield App 1.0 from vShield Endpoint 1.0 31 Confidential
  32. 32. vShield Wins Best of VMworld 2010 “VMware vShield marks a major improvement in security. It includes many essential features for virtualization security, and the ability to isolate traffic for different port groups is a highlight” 32 Confidential
  33. 33. Quotes  “Definitely, the integration of vShield, offering application, network and end point security for the cloud, is a big step..” – CloudAve, Krishnan Subramanian  “The vision of moving legacy and new applications between public and private clouds necessitates a virtual security approach that surpasses static edge filtering commonly found in AV, IPS and firewalls.” – ComputerWorld, Eric Ogren  “You’ve got to hand it to VMware …..this week’s VMworld, the company announced the VMware vShield family of security products.” – Enterprise Strategy Group, Jon Oltsik  “vShield should help IT managers ensure that VMs can be protected and isolated in the virtual network with technology that is baked into the virtualization infrastructure.” – eWEEK, Cameron Sturdevant  “VMware has finally taken virtual machine security and added it through the entire virtualization stack.. The dark horse feature of this product? Load balancing. I tried it in the lab – it takes 30 seconds to set up load balancing. No more need for expensive F5’s – this could be a real game changer.” – Brandon Hahn 33 Confidential
  34. 34. © 2009 VMware Inc. All rights reserved Thank You

×